On Mon, Sep 29 2014, Joshua Harlow wrote:

> Do we know that the users (keystone, neutron...) aren't vulnerable?
>
> From https://pypi.python.org/pypi/defusedxml#python-xml-libraries it sure seems
> like we would likely still have issues if custom implementations are being
> used/created. Perhaps we should just use the defusedxml libraries until proven
> otherwise (better to be safe than sorry).

According to LP#1100282¹, Keystone and Neutron are supposed to not be
vulnerable with different fixes than Nova. Since all the solutions are
different, I'm not sure it covers the problem in its entirety in all cases.

I see 2 options:

1. Put effort to move all projects to defusedxml
2. Since XML APIs are going to be deprecated (at least in Nova), move
   xmlutils to Nova and be done with it.

Solution 1 requires a lot more effort, and I wonder if it's worth it.

¹ https://bugs.launchpad.net/bugs/1100282

-- 
Julien Danjou
// Free Software hacker
// http://julien.danjou.info
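Both options in the thread (defusedxml, or a per-project xmlutils) rest on the same defensive technique: hook the expat declaration callbacks so that a DTD or an <!ENTITY> declaration in untrusted input aborts parsing before any entity can be expanded. The block below is an added, stand-alone illustration of that technique, written for this page; it is not the code of defusedxml, of Nova's xmlutils, or of anyone in the thread. It reuses the option names defusedxml documents (forbid_dtd, forbid_entities) but its class and function names, and the three sample documents, are constructed for the example.

```python
import io
from xml.sax import expatreader, handler


class ProtectedExpatParser(expatreader.ExpatParser):
    """SAX parser that refuses DTDs and entity declarations in untrusted XML.

    Added example: it hooks expat's declaration callbacks, the general
    technique defusedxml exposes through its forbid_dtd / forbid_entities
    options; it is not the code of defusedxml or of Nova's xmlutils.
    """

    def __init__(self, forbid_dtd=True, forbid_entities=True, *args, **kwargs):
        expatreader.ExpatParser.__init__(self, *args, **kwargs)
        self.forbid_dtd = forbid_dtd
        self.forbid_entities = forbid_entities

    # Each hook raises instead of letting expat act on the declaration.
    def forbid_doctype(self, name, sysid, pubid, has_internal_subset):
        raise ValueError("inline DTD forbidden")

    def forbid_entity_decl(self, name, is_parameter_entity, value, base,
                           sysid, pubid, notation_name):
        raise ValueError("<!ENTITY> declaration forbidden")

    def forbid_unparsed_entity_decl(self, name, base, sysid, pubid,
                                    notation_name):
        raise ValueError("unparsed entity declaration forbidden")

    def forbid_external_entity_ref(self, context, base, sysid, pubid):
        raise ValueError("external entity reference forbidden")

    def reset(self):
        # The stock reset() builds a fresh expat parser, so the hooks must be
        # reinstalled every time it runs (parse() calls it before feeding).
        expatreader.ExpatParser.reset(self)
        if self.forbid_dtd:
            self._parser.StartDoctypeDeclHandler = self.forbid_doctype
        if self.forbid_entities:
            self._parser.EntityDeclHandler = self.forbid_entity_decl
            self._parser.UnparsedEntityDeclHandler = self.forbid_unparsed_entity_decl
            self._parser.ExternalEntityRefHandler = self.forbid_external_entity_ref


class _Collector(handler.ContentHandler):
    """Minimal content handler: records element names and character data."""

    def __init__(self):
        handler.ContentHandler.__init__(self)
        self.elements = []
        self.text = []

    def startElement(self, name, attrs):
        self.elements.append(name)

    def characters(self, content):
        self.text.append(content)


def parse_untrusted(xml_bytes, forbid_dtd=True, forbid_entities=True):
    """Parse untrusted XML; return (element names, concatenated text).

    Raises ValueError when the document carries a DTD or entity declarations
    and the corresponding protection is enabled.
    """
    parser = ProtectedExpatParser(forbid_dtd=forbid_dtd,
                                  forbid_entities=forbid_entities)
    collector = _Collector()
    parser.setContentHandler(collector)
    parser.parse(io.BytesIO(xml_bytes))
    return collector.elements, "".join(collector.text)


def rejection_reason(xml_bytes, **options):
    """Return why a document was refused, or None if it parsed."""
    try:
        parse_untrusted(xml_bytes, **options)
    except ValueError as exc:
        return str(exc)
    return None


# Constructed sample documents (not taken from any real API request).
CLEAN = b'<?xml version="1.0"?><server><name>web-01</name></server>'
BARE_DOCTYPE = b'<!DOCTYPE server><server><name>web-01</name></server>'
ENTITY_DECL = (b'<?xml version="1.0"?>'
               b'<!DOCTYPE server [<!ENTITY x "placeholder">]>'
               b'<server>&x;</server>')

if __name__ == "__main__":
    print(parse_untrusted(CLEAN))                            # accepted
    print(rejection_reason(BARE_DOCTYPE))                    # inline DTD forbidden
    print(rejection_reason(ENTITY_DECL, forbid_dtd=False))   # <!ENTITY> declaration forbidden
    # With both protections off, stock expat behaviour returns and the
    # internal entity is expanded into the element text.
    print(parse_untrusted(ENTITY_DECL, forbid_dtd=False, forbid_entities=False))
```

The point the last call makes is the one Joshua's question hinges on: the protection lives entirely in the handler hooks, so any "custom implementation" that forgets to install them, or installs them on one parser object and not on the one actually fed the request body, silently falls back to the unprotected behaviour. That is why the hooks are reinstalled inside reset() rather than once in the constructor.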